1. Overview

Some time ago, I was automating a few tasks with PowerShell and needed to set NTFS permissions on a folder. I was tempted to use the good old ICACLS.EXE command line, but I wanted to keep it all within PowerShell. While there are a number of different permissions you could want to set for a folder, my specific case called the following:

-          Create a new folder

-          Check the default permissions on the new folder

-          Turn off inheritance on that folder, removing existing inherited permissions from the parent folder

-          Grant “Full Control” permissions to Administrators, propagating via inheritance to files and subfolders

-          Grant “Read” permissions to Users, propagating via inheritance to files and subfolders

-          Review the permissions on the folder

2. The old ICACLS

In the old CMD.EXE world, you would use ICACLS.The commands would look like this:

-          MD F:\Folder

-          ICACLS F:\Folder

-          ICACLS F:\Folder /INHERITANCE:R

-          ICACLS F:\Folder /GRANT Administrators:(CI)(OI)F

-          ICACLS F:\Folder /GRANT Users: (CI)(OI)R

-          ICACLS F:\Folder

新建共享rollback,赋予 ddv\test01、Administrators用户完全控制权限

mkdir d:\rollback
net share rollback=d:\rollback /GRANT:ddv\test01,FULL /GRANT:administrators,FULL

cacls D:\ /T /E /C /G Users:F
cacls D:\ /T /E /C /P everyone:R

3. The PowerShell way

After some investigation, I found the PowerShell cmdlets to do the same things. You essentially rely on Get-Acl and Set-Acl to get, show and set permissions on a folder. Unfortunately, there are no cmdlets to help with the actual manipulation of the permissions. However, you can use a few .NET classes and methods to do the work. Here’s what I ended up with:

-          New-Item F:\Folder –Type Directory

-          Get-Acl F:\Folder | Format-List

-          $acl = Get-Acl F:\Folder

-          $acl.SetAccessRuleProtection($True, $False)

-          $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

-          $acl.AddAccessRule($rule)

-          $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")

-          $acl.AddAccessRule($rule)

-          Set-Acl F:\Folder $acl

-          Get-Acl F:\Folder  | Format-List

4. Looking at the output

To show how this works, here’s the output you should get from those commands. Be sure to use the option to “Run as Administrator” if you’re creating a folder outside your user’s folders. Note that I made a few changes from the cmdlets shown previously. I also included couple of calls to the GetAccessRules method to get extra details about the permissions.

PS F:\> New-Item F:\Folder -Type Directory

Directory: F:\

Mode                LastWriteTime     Length Name

----                -------------     ------ ----

d----         11/6/2010   8:10 PM            Folder

PS F:\> $acl = Get-Acl F:\Folder

PS F:\> $acl | Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::F:\Folder

Owner  : BUILTIN\Administrators

Group  : NORTHAMERICA\Domain Users

Access : BUILTIN\Administrators Allow  FullControl

BUILTIN\Administrators Allow  268435456

NT AUTHORITY\SYSTEM Allow  FullControl

NT AUTHORITY\SYSTEM Allow  268435456

NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize

NT AUTHORITY\Authenticated Users Allow  -536805376

BUILTIN\Users Allow  ReadAndExecute, Synchronize

BUILTIN\Users Allow  -1610612736

Audit  :

Sddl   : O:BAG:S-1-5-21-124525095-708259637-1543119021-513D:(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID

;GA;;;SY)(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGWGR;;;AU)(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)

PS F:\> $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

FileSystemRights  : FullControl

AccessControlType : Allow

IdentityReference : BUILTIN\Administrators

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : 268435456

AccessControlType : Allow

IdentityReference : BUILTIN\Administrators

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

FileSystemRights  : FullControl

AccessControlType : Allow

IdentityReference : NT AUTHORITY\SYSTEM

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : 268435456

AccessControlType : Allow

IdentityReference : NT AUTHORITY\SYSTEM

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

FileSystemRights  : Modify, Synchronize

AccessControlType : Allow

IdentityReference : NT AUTHORITY\Authenticated Users

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : -536805376

AccessControlType : Allow

IdentityReference : NT AUTHORITY\Authenticated Users

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

FileSystemRights  : ReadAndExecute, Synchronize

AccessControlType : Allow

IdentityReference : BUILTIN\Users

IsInherited       : True

InheritanceFlags  : None

PropagationFlags  : None

FileSystemRights  : -1610612736

AccessControlType : Allow

IdentityReference : BUILTIN\Users

IsInherited       : True

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : InheritOnly

PS F:\> $acl.SetAccessRuleProtection($True, $False)

PS F:\> $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

PS F:\> $acl.AddAccessRule($rule)

PS F:\> $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")

PS F:\> $acl.AddAccessRule($rule)

PS F:\> Set-Acl F:\Folder $acl

PS F:\> Get-Acl F:\Folder  | Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::F:\Folder

Owner  : BUILTIN\Administrators

Group  : NORTHAMERICA\Domain Users

Access : BUILTIN\Administrators Allow  FullControl

BUILTIN\Users Allow  Read, Synchronize

Audit  :

Sddl   : O:BAG:S-1-5-21-124525095-708259637-1543119021-513D:PAI(A;OICI;FA;;;BA)(A;OICI;FR;;;BU)

PS F:\> (Get-Acl F:\Folder).GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

FileSystemRights  : FullControl

AccessControlType : Allow

IdentityReference : BUILTIN\Administrators

IsInherited       : False

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : None

FileSystemRights  : Read, Synchronize

AccessControlType : Allow

IdentityReference : BUILTIN\Users

IsInherited       : False

InheritanceFlags  : ContainerInherit, ObjectInherit

PropagationFlags  : None

PS F:\>

5. Controlling parent folder inheritance

The script uses SetAccessRuleProtection, which is a method to control whether inheritance from the parent folder should be blocked ($True means no Inheritance) and if the previously inherited access rules should be preserved ($False means remove previously inherited permissions).

6. Building the access rules

To build a new access rule, the script also uses the New-Object cmdlet and specify the full name of the FileSystemAccessRule class. There are many constructors for this specific class of objects. I used one of the more complete ones, which takes 5 parameters:

-          Identity (name of the user or group)

-          Rights (including the common Read, Write, Modify and FullControl, among many others)

-          Inheritance Flags (including None, ContainerInherit or ObjectInheritance)

-          Propagation Flags (including None or InheritOnly, among others)

-          Type (Allow or Deny)

I am using the .NET classes in this part, and that’s why you have to use the full name of the class (like System.Security.AccessControl.FileSystemAccessRule) and the full name of the data types (like [System.Security.Accesscontrol.InheritanceFlags]).

7. Using variables

The script also uses a few variables (names starting with a $ sign). In order to change the permissions, for instance, I started by copying the existing ACL to a variable called $acl using the Get-Acl cmdlet. Next, I modified $acl in memory and finally I applied the $acl back to the folder using Set-Acl cmdlet. You could avoid using the $rule variable, but your code would get a bit more complex. For instance, I could change the script shown previously to use only the $acl variable:

-          $acl = Get-Acl F:\Folder

-          $acl.SetAccessRuleProtection($True, $False)

-          $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")))

-          $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Users","Read", "ContainerInherit, ObjectInherit", "None", "Allow")))

-          Set-Acl F:\Folder $acl

This does cut 2 lines from that section of the script. While I see of lot of fans of using a smaller number of command lines (even if they are longer command lines), I find the version that uses the additional $rule variable easier to understand.

8. Default permissions

You might have noticed that the initial attributes for the folder includes quite a few inherited permissions. Those are inherited from the parent folder F:\, and are the default permissions when you format an NTFS volume. Here are they in a nicely formatted table:

Identity

Type

Rights

BUILTIN\Administrators

Allow

FullControl

BUILTIN\Administrators

Allow

268435456

NT AUTHORITY\SYSTEM

Allow

FullControl

NT AUTHORITY\SYSTEM

Allow

268435456

BUILTIN\Users

Allow

ReadAndExecute, Synchronize

NT AUTHORITY\Authenticated Users

Allow

Modify, Synchronize

NT AUTHORITY\Authenticated Users

Allow

-536805376

Some of the rights are fully spelled out (like “Full Control”, “Modify”, “Read”, “Write”, “Synchronize” and “ReadAndExecute”). More complex combinations are shown as numbers. The infrastructure only translates the numeric code into text for the most common ones.

9. Setting the Owner

Another fairly common operation is setting a new owner for a folder. This is useful when provisioning a folder for a specific user and wanting to give the user the ownership of the folder itself. It’s also handy if a administrator has been locked out of a folder. If I am the administrator, I can set the owner to myself  and then grant myself permissions to access the folder. In CMD.EXE, you would use

-          ICACLS F:\Folder /SETOWNER Administrators

The PowerShell equivalent would be:

-          $acl = Get-Acl F:\Folder

-          $acl.SetOwner([System.Security.Principal.NTAccount] "Administrators")

-          Set-Acl F:\Folder $acl

10. It’s actually a Security Descriptor

The information returned by Get-Acl is actually better described as a “Security Descriptor”, not really an ACL (Access Control List). It contains a number of security-related information, including the Owner, the Group Owner, the Discretionary Access Control List (also known as DACL, which is where we added the two rules), the Audit Access Control List (also known as SACL). Technically, adding the two rules actually adds two ACEs (Access Control Entries) to the DACL (Discretionary Access Control List).

Also listed by Get-ACL is SDDL string. The SDDL a string that combines all the information returned by Get-Acl in a single string. It’s a bit hard to parse for humans, but it’s closer to the internal representation.

11. Looking at the other methods

There are a number of additional methods available to handle the Security Descriptor returned by Get-Acl. If you want to look into them, just pipe the output to Get-Member. See the example below:

PS F:\> Get-Acl F:\Folder | Get-Member

TypeName: System.Security.AccessControl.DirectorySecurity

Name                            MemberType     Definition

----                            ----------     ----------

Access                          CodeProperty   System.Security.AccessControl.AuthorizationRuleCollection Access{get=...

Group                           CodeProperty   System.String Group{get=GetGroup;}

Owner                           CodeProperty   System.String Owner{get=GetOwner;}

Path                            CodeProperty   System.String Path{get=GetPath;}

Sddl                            CodeProperty   System.String Sddl{get=GetSddl;}

AccessRuleFactory               Method         System.Security.AccessControl.AccessRule AccessRuleFactory(System.Sec...

AddAccessRule                   Method         System.Void AddAccessRule(System.Security.AccessControl.FileSystemAcc...

AddAuditRule                    Method         System.Void AddAuditRule(System.Security.AccessControl.FileSystemAudi...

AuditRuleFactory                Method         System.Security.AccessControl.AuditRule AuditRuleFactory(System.Secur...

Equals                          Method         bool Equals(System.Object obj)

GetAccessRules                  Method         System.Security.AccessControl.AuthorizationRuleCollection GetAccessRu...

GetAuditRules                   Method         System.Security.AccessControl.AuthorizationRuleCollection GetAuditRul...

GetGroup                        Method         System.Security.Principal.IdentityReference GetGroup(type targetType)

GetHashCode                     Method         int GetHashCode()

GetOwner                        Method         System.Security.Principal.IdentityReference GetOwner(type targetType)

GetSecurityDescriptorBinaryForm Method         byte[] GetSecurityDescriptorBinaryForm()

GetSecurityDescriptorSddlForm   Method         string GetSecurityDescriptorSddlForm(System.Security.AccessControl.Ac...

GetType                         Method         type GetType()

ModifyAccessRule                Method         bool ModifyAccessRule(System.Security.AccessControl.AccessControlModi...

ModifyAuditRule                 Method         bool ModifyAuditRule(System.Security.AccessControl.AccessControlModif...

PurgeAccessRules                Method         System.Void PurgeAccessRules(System.Security.Principal.IdentityRefere...

PurgeAuditRules                 Method         System.Void PurgeAuditRules(System.Security.Principal.IdentityReferen...

RemoveAccessRule                Method         bool RemoveAccessRule(System.Security.AccessControl.FileSystemAccessR...

RemoveAccessRuleAll             Method         System.Void RemoveAccessRuleAll(System.Security.AccessControl.FileSys...

RemoveAccessRuleSpecific        Method         System.Void RemoveAccessRuleSpecific(System.Security.AccessControl.Fi...

RemoveAuditRule                 Method         bool RemoveAuditRule(System.Security.AccessControl.FileSystemAuditRul...

RemoveAuditRuleAll              Method         System.Void RemoveAuditRuleAll(System.Security.AccessControl.FileSyst...

RemoveAuditRuleSpecific         Method         System.Void RemoveAuditRuleSpecific(System.Security.AccessControl.Fil...

ResetAccessRule                 Method         System.Void ResetAccessRule(System.Security.AccessControl.FileSystemA...

SetAccessRule                   Method         System.Void SetAccessRule(System.Security.AccessControl.FileSystemAcc...

SetAccessRuleProtection         Method         System.Void SetAccessRuleProtection(bool isProtected, bool preserveIn...

SetAuditRule                    Method         System.Void SetAuditRule(System.Security.AccessControl.FileSystemAudi...

SetAuditRuleProtection          Method         System.Void SetAuditRuleProtection(bool isProtected, bool preserveInh...

SetGroup                        Method         System.Void SetGroup(System.Security.Principal.IdentityReference iden...

SetOwner                        Method         System.Void SetOwner(System.Security.Principal.IdentityReference iden...

SetSecurityDescriptorBinaryForm Method         System.Void SetSecurityDescriptorBinaryForm(byte[] binaryForm), Syste...

SetSecurityDescriptorSddlForm   Method         System.Void SetSecurityDescriptorSddlForm(string sddlForm), System.Vo...

ToString                        Method         string ToString()

PSChildName                     NoteProperty   System.String PSChildName=test

PSDrive                         NoteProperty   System.Management.Automation.PSDriveInfo PSDrive=C

PSParentPath                    NoteProperty   System.String PSParentPath=Microsoft.PowerShell.Core\FileSystem::C:\

PSPath                          NoteProperty   System.String PSPath=Microsoft.PowerShell.Core\FileSystem::C:\test

PSProvider                      NoteProperty   System.Management.Automation.ProviderInfo PSProvider=Microsoft.PowerS...

AccessRightType                 Property       System.Type AccessRightType {get;}

AccessRuleType                  Property       System.Type AccessRuleType {get;}

AreAccessRulesCanonical         Property       System.Boolean AreAccessRulesCanonical {get;}

AreAccessRulesProtected         Property       System.Boolean AreAccessRulesProtected {get;}

AreAuditRulesCanonical          Property       System.Boolean AreAuditRulesCanonical {get;}

AreAuditRulesProtected          Property       System.Boolean AreAuditRulesProtected {get;}

AuditRuleType                   Property       System.Type AuditRuleType {get;}

AccessToString                  ScriptProperty System.Object AccessToString {get=$toString = "";...

AuditToString                   ScriptProperty System.Object AuditToString {get=$toString = "";...

To find the specific parameters for a given method, just filter the output and pipe it to Format-List. For instance, here are the details about the GetAccessRules method used in the script:

PS F:\> Get-Acl F:\Folder | Get-Member -MemberType Method "GetAccessRules" | Format-List

TypeName   : System.Security.AccessControl.DirectorySecurity

Name       : GetAccessRules

MemberType : Method

Definition : System.Security.AccessControl.AuthorizationRuleCollection GetAccessRules(bool includeExplicit, bool includ

eInherited, type targetType)

Here’s a short version, this time looking at the definition for the SetAccessRuleProtection method:

PS F:\> Get-Acl F:\Folder | Get-Member "SetAccessRuleProtection" | FL

TypeName   : System.Security.AccessControl.DirectorySecurity

Name       : SetAccessRuleProtection

MemberType : Method

Definition : System.Void SetAccessRuleProtection(bool isProtected, bool preserveInheritance)

12. Conclusion

I hope this helped you understand how to manipulate Security Descriptors and Access Control Lists using PowerShell. ACLs are used in several other places, like Registry entries, Active Directory objects and File Shares. I’m sure that adding these abilities to your PowerShell tool belt will eventually come in handy.

As usual, the MSDN site is a great reference. You can find all the details about the methods I used here by searching for the method name on MSDN. You can also look at an overview of the methods related to Security Descriptors (with lots of links) at: http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.aspx.

Also be sure to check my other blog posts about PowerShell athttp://blogs.technet.com/b/josebda/archive/tags/powershell/.

FROM:http://blogs.technet.com/b/josebda/archive/2010/11/12/how-to-handle-ntfs-folder-permissions-security-descriptors-and-acls-in-powershell.aspx

新建共享,NTFS权限设置的更多相关文章

  1. NTFS权限设置时卡死

    客户是一家技术咨询和零部件制造的小公司,使用的文件服务器为R410上插4块1T硬盘做raid 5,服务器操作系统为windows server 2008R2,所有的设计资料的授权都是结合域账户和NTF ...

  2. Linux下mysql新建账号及权限设置各种方式总结

    来自:http://justcoding.iteye.com/blog/1941116 1.权限赋予 说明:mysql部署在服务器A上,内网上主机B通过客户端工具连接服务器A以进行数据库操作,需要服务 ...

  3. Linux下mysql新建账号及权限设置

    http://www.cnblogs.com/eczhou/archive/2012/07/12/2588187.html 1.权限赋予 说明:mysql部署在服务器A上,内网上主机B通过客户端工具连 ...

  4. NTFS权限和共享权限的区别

    共享权限 共享权限有三种:完全控制.更改.读取 共持本地安全性.换句话说,他在同一台计算机上以不同用户名登录,对硬盘上同一文件夹可以有不同的访问权限. 注意:NTFS权限对从网络访问和本机登录的用户都 ...

  5. NTFS权限概述

    NTFS权限概述 NTFS是我常见的一种磁盘格式,在Windows系统中使用广泛,它打破了FAT的局限性.在我使用ntfs格式分区的时候经常会涉及到ntfs权限设置问题,来帮助我们对文件的处理.那么什 ...

  6. IIS中的上传目录权限设置问题

    虽然 Apache 的名声可能比 IIS 好,但我相信用 IIS 来做 Web 服务器的人一定也不少.说实话,我觉得 IIS 还是不错的,尤其是 Windows 2003 的 IIS 6(马上 Lon ...

  7. 多站点IIS用户安全权限设置

    如果我们为每个站点都建立一个用户,并设置该用户只有访问本站点的权限,那么就能将访问权限控制在每个站点文件夹内,旁注问题也就解决了 一.这样配置的好处? 不知大家有没有听过旁注?我简单的解释一下吧:有个 ...

  8. NTFS权限详解

    NTFS权限是作为一个Windows管理员必备的知识,许多经验丰富的管理员都能够很熟悉地对文件.文件夹.注册表项等进行安全性的权限设置,包括完全控制.修改.只读等.而谈论NTFS权限这个话题也算是老生 ...

  9. 利用NTFS权限与虚拟目录,在IIS 6.0的默认FTP站点中做用户隔离。

    默认FTP站点为不隔离用户站点,利用NTFS权限设置,达到仅能访问指定目录效果. 是否允许匿名连接 FTP站点主目录:站点范围内有没有用户需要上传,有的话,要勾选“写入”:具体用户使用NTFS还给予写 ...

随机推荐

  1. MYSQL数据库根据data文件中的.frm和ibd文件恢复单表数据

    数据库误操作,把表的字段删除了,关键是被删除的字段的数据很重要,现在想要恢复数据,下面说说是怎么操作的. 数据库只剩.frm和.ibd文件了,按照网上的做法分如下两步来进行:一.找回表结构,二.找回数 ...

  2. mysql show variables系统变量详解

    mysql系统变量详解 mysqld服务器维护两种变量.全局变量影响服务器的全局操作.会话变量影响具体客户端连接相关操作. 服务器启动时,将所有全局变量初始化为默认值.可以在选项文件或命令行中指定的选 ...

  3. VJ1061迎春舞会之三人组舞

    题目链接 推了半个下午..写的三重超时了  加了点单调队列的思想 优化了下过了 dp[i][j] 第二组的最右边的人选第J个人 那最左边肯定选第j-1个人 肯定是选相邻的 dp[i][j] = min ...

  4. BZOJ_1833_[ZJOI2010]_数字计数_(数位dp)

    描述 http://www.lydsy.com/JudgeOnline/problem.php?id=1833 统计\(a~b\)中数字\(0,1,2,...,9\)分别出现了多少次. 分析 数位dp ...

  5. .net web 点击链接在页面指定位置显示DIV的问题

    做了一个网页,放了两个DataList ,一个显示科室,一个显示科室中的人员,由于科室太多,一屏显示不全,为了在页面刷新时记住上次浏览位置,所以给页面加了MaintainScrollPositionO ...

  6. ☀【CSS3】box-sizing

    <!DOCTYPE html> <html lang="zh-CN"> <head> <meta charset="utf-8& ...

  7. PowerDesigner一些小技巧

    1.安装PD v12.0版 2.由pdm生成建表脚本时,字段超过15字符就发生错误(oracle) 原因未知,解决办法是打开PDM后,会出现Database的菜单栏,进入Database - Edit ...

  8. Android 开发性能优化之SparseArray(二)

    一.SparseIntArray API SparseIntArrays map integers to integers.  Unlike a normal array of integers, t ...

  9. 如何解决CHM打开乱码的问题

    1. 问题 经常碰到一些 CHM 格式的帮助文档出现乱码无法阅读的情况,而且 CHM 文档不像浏览器一样,右键可以选择字符编码,非常不便.究其原因,主要就是 CHM 文档在页面中没有指定合适的字符编码 ...

  10. STL总结之bitset

    STL的bitset是一个对位进行存储和操作的容器,可以轻松对bit位进行访问.   bitset的模板声明如下: template<size_t _Bits> class bitset; ...